commit 6348ae07835a05f78ab3ada1f7293665a410a273 Author: Greg Kroah-Hartman Date: Tue Apr 12 07:52:17 2022 +0200 Linux 4.9.310 Link: https://lore.kernel.org/r/20220406182436.675069715@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Pavel Machek (CIP) Tested-by: Shuah Khan Signed-off-by: Greg Kroah-Hartman commit 7815cbf19ac47ca0cc22b0d8aa25d6ec6ab2ad81 Author: James Morse Date: Wed Apr 6 17:45:46 2022 +0100 arm64: Use the clearbhb instruction in mitigations commit 228a26b912287934789023b4132ba76065d9491c upstream. Future CPUs may implement a clearbhb instruction that is sufficient to mitigate SpectreBHB. CPUs that implement this instruction, but not CSV2.3 must be affected by Spectre-BHB. Add support to use this instruction as the BHB mitigation on CPUs that support it. The instruction is in the hint space, so it will be treated by a NOP as older CPUs. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas [ modified for stable: Use a KVM vector template instead of alternatives ] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 9396d5ede3df91cc71c70a7fb11826a10c34e775 Author: James Morse Date: Wed Apr 6 17:45:45 2022 +0100 arm64: add ID_AA64ISAR2_EL1 sys register commit 9e45365f1469ef2b934f9d035975dbc9ad352116 upstream. This is a new ID register, introduced in 8.7. Signed-off-by: Joey Gouly Cc: Will Deacon Cc: Marc Zyngier Cc: James Morse Cc: Alexandru Elisei Cc: Suzuki K Poulose Cc: Reiji Watanabe Acked-by: Marc Zyngier Link: https://lore.kernel.org/r/20211210165432.8106-3-joey.gouly@arm.com Signed-off-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit df0448480b9c2f0a2f5a5055e04afa80bf0a5301 Author: James Morse Date: Wed Apr 6 17:45:44 2022 +0100 KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated commit a5905d6af492ee6a4a2205f0d550b3f931b03d03 upstream. KVM allows the guest to discover whether the ARCH_WORKAROUND SMCCC are implemented, and to preserve that state during migration through its firmware register interface. Add the necessary boiler plate for SMCCC_ARCH_WORKAROUND_3. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas [ kvm code moved to arch/arm/kvm, removed fw regs ABI. Added 32bit stub ] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 4dd8aae585a51a1d276911fe19096ad90144e9fe Author: James Morse Date: Wed Apr 6 17:45:43 2022 +0100 arm64: Mitigate spectre style branch history side channels commit 558c303c9734af5a813739cd284879227f7297d2 upstream. Speculation attacks against some high-performance processors can make use of branch history to influence future speculation. When taking an exception from user-space, a sequence of branches or a firmware call overwrites or invalidates the branch history. The sequence of branches is added to the vectors, and should appear before the first indirect branch. For systems using KPTI the sequence is added to the kpti trampoline where it has a free register as the exit from the trampoline is via a 'ret'. For systems not using KPTI, the same register tricks are used to free up a register in the vectors. For the firmware call, arch-workaround-3 clobbers 4 registers, so there is no choice but to save them to the EL1 stack. This only happens for entry from EL0, so if we take an exception due to the stack access, it will not become re-entrant. For KVM, the existing branch-predictor-hardening vectors are used. When a spectre version of these vectors is in use, the firmware call is sufficient to mitigate against Spectre-BHB. For the non-spectre versions, the sequence of branches is added to the indirect vector. Reviewed-by: Catalin Marinas Cc: # # # Signed-off-by: Greg Kroah-Hartman commit 094a410426b4a5cbb0d68609050a15110124aeda Author: James Morse Date: Wed Apr 6 17:45:42 2022 +0100 KVM: arm64: Add templates for BHB mitigation sequences KVM writes the Spectre-v2 mitigation template at the beginning of each vector when a CPU requires a specific sequence to run. Because the template is copied, it can not be modified by the alternatives at runtime. As the KVM template code is intertwined with the bp-hardening callbacks, all templates must have a bp-hardening callback. Add templates for calling ARCH_WORKAROUND_3 and one for each value of K in the brancy-loop. Identify these sequences by a new parameter template_start, and add a copy of install_bp_hardening_cb() that is able to install them. Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 1451b7fe7a3689113e70d2936b92fa4d50e68371 Author: James Morse Date: Wed Apr 6 17:45:41 2022 +0100 arm64: Add percpu vectors for EL1 commit bd09128d16fac3c34b80bd6a29088ac632e8ce09 upstream. The Spectre-BHB workaround adds a firmware call to the vectors. This is needed on some CPUs, but not others. To avoid the unaffected CPU in a big/little pair from making the firmware call, create per cpu vectors. The per-cpu vectors only apply when returning from EL0. Systems using KPTI can use the canonical 'full-fat' vectors directly at EL1, the trampoline exit code will switch to this_cpu_vector on exit to EL0. Systems not using KPTI should always use this_cpu_vector. this_cpu_vector will point at a vector in tramp_vecs or __bp_harden_el1_vectors, depending on whether KPTI is in use. Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit aee10c2dd01383a8a01111d647b6e17b9a3cc791 Author: James Morse Date: Wed Apr 6 17:45:40 2022 +0100 arm64: entry: Add macro for reading symbol addresses from the trampoline commit b28a8eebe81c186fdb1a0078263b30576c8e1f42 upstream. The trampoline code needs to use the address of symbols in the wider kernel, e.g. vectors. PC-relative addressing wouldn't work as the trampoline code doesn't run at the address the linker expected. tramp_ventry uses a literal pool, unless CONFIG_RANDOMIZE_BASE is set, in which case it uses the data page as a literal pool because the data page can be unmapped when running in user-space, which is required for CPUs vulnerable to meltdown. Pull this logic out as a macro, instead of adding a third copy of it. Reviewed-by: Catalin Marinas [ Removed SDEI for stable backport ] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 218ddd9cb91e7bc0bb69d53fc40f600b0b217a16 Author: James Morse Date: Wed Apr 6 17:45:39 2022 +0100 arm64: entry: Add vectors that have the bhb mitigation sequences commit ba2689234be92024e5635d30fe744f4853ad97db upstream. Some CPUs affected by Spectre-BHB need a sequence of branches, or a firmware call to be run before any indirect branch. This needs to go in the vectors. No CPU needs both. While this can be patched in, it would run on all CPUs as there is a single set of vectors. If only one part of a big/little combination is affected, the unaffected CPUs have to run the mitigation too. Create extra vectors that include the sequence. Subsequent patches will allow affected CPUs to select this set of vectors. Later patches will modify the loop count to match what the CPU requires. Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit ac965734ce0f87c194f0a666889a4f37436b2421 Author: James Morse Date: Wed Apr 6 17:45:38 2022 +0100 arm64: Move arm64_update_smccc_conduit() out of SSBD ifdef arm64_update_smccc_conduit() is an alternative callback that patches HVC/SMC. Currently the only user is SSBD. To use this for Spectre-BHB, it needs to be moved out of the SSBD #ifdef region. Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 944ecb18c729545ea73c53f9ee9b802637c549d0 Author: James Morse Date: Wed Apr 6 17:45:37 2022 +0100 arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations commit aff65393fa1401e034656e349abd655cfe272de0 upstream. kpti is an optional feature, for systems not using kpti a set of vectors for the spectre-bhb mitigations is needed. Add another set of vectors, __bp_harden_el1_vectors, that will be used if a mitigation is needed and kpti is not in use. The EL1 ventries are repeated verbatim as there is no additional work needed for entry from EL1. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit bd69a09d7d229303286a685f59b9033c384f72b1 Author: James Morse Date: Wed Apr 6 17:45:36 2022 +0100 arm64: entry: Allow the trampoline text to occupy multiple pages commit a9c406e6462ff14956d690de7bbe5131a5677dc9 upstream. Adding a second set of vectors to .entry.tramp.text will make it larger than a single 4K page. Allow the trampoline text to occupy up to three pages by adding two more fixmap slots. Previous changes to tramp_valias allowed it to reach beyond a single page. Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 1f7da613bf57d10b0ff6807b36bd7eda27482ab6 Author: James Morse Date: Wed Apr 6 17:45:35 2022 +0100 arm64: entry: Make the kpti trampoline's kpti sequence optional commit c47e4d04ba0f1ea17353d85d45f611277507e07a upstream. Spectre-BHB needs to add sequences to the vectors. Having one global set of vectors is a problem for big/little systems where the sequence is costly on cpus that are not vulnerable. Making the vectors per-cpu in the style of KVM's bh_harden_hyp_vecs requires the vectors to be generated by macros. Make the kpti re-mapping of the kernel optional, so the macros can be used without kpti. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 283bcb8f640ecc3e4a74f5084c15cdd9ce350951 Author: James Morse Date: Wed Apr 6 17:45:34 2022 +0100 arm64: entry: Move trampoline macros out of ifdef'd section commit 13d7a08352a83ef2252aeb464a5e08dfc06b5dfd upstream. The macros for building the kpti trampoline are all behind CONFIG_UNMAP_KERNEL_AT_EL0, and in a region that outputs to the .entry.tramp.text section. Move the macros out so they can be used to generate other kinds of trampoline. Only the symbols need to be guarded by CONFIG_UNMAP_KERNEL_AT_EL0 and appear in the .entry.tramp.text section. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 2ce6f5deed712c6768e5b19ac4e23d4aaa828ff4 Author: James Morse Date: Wed Apr 6 17:45:33 2022 +0100 arm64: entry: Don't assume tramp_vectors is the start of the vectors commit ed50da7764535f1e24432ded289974f2bf2b0c5a upstream. The tramp_ventry macro uses tramp_vectors as the address of the vectors when calculating which ventry in the 'full fat' vectors to branch to. While there is one set of tramp_vectors, this will be true. Adding multiple sets of vectors will break this assumption. Move the generation of the vectors to a macro, and pass the start of the vectors as an argument to tramp_ventry. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 99cbe345732d49d4626052908754259ac9222bb2 Author: James Morse Date: Wed Apr 6 17:45:32 2022 +0100 arm64: entry: Allow tramp_alias to access symbols after the 4K boundary commit 6c5bf79b69f911560fbf82214c0971af6e58e682 upstream. Systems using kpti enter and exit the kernel through a trampoline mapping that is always mapped, even when the kernel is not. tramp_valias is a macro to find the address of a symbol in the trampoline mapping. Adding extra sets of vectors will expand the size of the entry.tramp.text section to beyond 4K. tramp_valias will be unable to generate addresses for symbols beyond 4K as it uses the 12 bit immediate of the add instruction. As there are now two registers available when tramp_alias is called, use the extra register to avoid the 4K limit of the 12 bit immediate. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas [ Removed SDEI for backport ] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit ee04ed16acb65f7dfde8cb74ae774f4314c5c816 Author: James Morse Date: Wed Apr 6 17:45:31 2022 +0100 arm64: entry: Move the trampoline data page before the text page commit c091fb6ae059cda563b2a4d93fdbc548ef34e1d6 upstream. The trampoline code has a data page that holds the address of the vectors, which is unmapped when running in user-space. This ensures that with CONFIG_RANDOMIZE_BASE, the randomised address of the kernel can't be discovered until after the kernel has been mapped. If the trampoline text page is extended to include multiple sets of vectors, it will be larger than a single page, making it tricky to find the data page without knowing the size of the trampoline text pages, which will vary with PAGE_SIZE. Move the data page to appear before the text page. This allows the data page to be found without knowing the size of the trampoline text pages. 'tramp_vectors' is used to refer to the beginning of the .entry.tramp.text section, do that explicitly. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas [ removed SDEI for backport ] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit a212d166a9d7c35e56ba11f15d6706eee3dd499b Author: James Morse Date: Wed Apr 6 17:45:30 2022 +0100 arm64: entry: Free up another register on kpti's tramp_exit path commit 03aff3a77a58b5b52a77e00537a42090ad57b80b upstream. Kpti stashes x30 in far_el1 while it uses x30 for all its work. Making the vectors a per-cpu data structure will require a second register. Allow tramp_exit two registers before it unmaps the kernel, by leaving x30 on the stack, and stashing x29 in far_el1. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 6835855140dc7adecd5af713a17d488f93fd8226 Author: James Morse Date: Wed Apr 6 17:45:29 2022 +0100 arm64: entry: Make the trampoline cleanup optional commit d739da1694a0eaef0358a42b76904b611539b77b upstream. Subsequent patches will add additional sets of vectors that use the same tricks as the kpti vectors to reach the full-fat vectors. The full-fat vectors contain some cleanup for kpti that is patched in by alternatives when kpti is in use. Once there are additional vectors, the cleanup will be needed in more cases. But on big/little systems, the cleanup would be harmful if no trampoline vector were in use. Instead of forcing CPUs that don't need a trampoline vector to use one, make the trampoline cleanup optional. Entry at the top of the vectors will skip the cleanup. The trampoline vectors can then skip the first instruction, triggering the cleanup to run. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 0a59e9cf1f29f446ab5a3dc91a23af8ca0cf5bea Author: James Morse Date: Wed Apr 6 17:45:28 2022 +0100 arm64: entry.S: Add ventry overflow sanity checks commit 4330e2c5c04c27bebf89d34e0bc14e6943413067 upstream. Subsequent patches add even more code to the ventry slots. Ensure kernels that overflow a ventry slot don't get built. Reviewed-by: Russell King (Oracle) Reviewed-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit f28446994a55b1f8b67cb215d7913cce67d2275e Author: Suzuki K Poulose Date: Wed Apr 6 17:45:27 2022 +0100 arm64: Add helper to decode register from instruction commit 8c2dcbd2c4443bad0b4242fb62baa47b260b8f79 upstream. Add a helper to extract the register field from a given instruction. Cc: Catalin Marinas Cc: Will Deacon Cc: Mark Rutland Reviewed-by: Catalin Marinas Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 670b93fd605d5ffefb36d0d16fd785f5e9e6fac2 Author: Anshuman Khandual Date: Wed Apr 6 17:45:26 2022 +0100 arm64: Add Cortex-X2 CPU part definition commit 72bb9dcb6c33cfac80282713c2b4f2b254cd24d1 upstream. Add the CPU Partnumbers for the new Arm designs. Cc: Will Deacon Cc: Suzuki Poulose Cc: linux-arm-kernel@lists.infradead.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Anshuman Khandual Reviewed-by: Suzuki K Poulose Link: https://lore.kernel.org/r/1642994138-25887-2-git-send-email-anshuman.khandual@arm.com Signed-off-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 1afa33de99dd8cd80034a609a5b370cc69562566 Author: Suzuki K Poulose Date: Wed Apr 6 17:45:25 2022 +0100 arm64: Add Neoverse-N2, Cortex-A710 CPU part definition commit 2d0d656700d67239a57afaf617439143d8dac9be upstream. Add the CPU Partnumbers for the new Arm designs. Cc: Catalin Marinas Cc: Mark Rutland Cc: Will Deacon Acked-by: Catalin Marinas Reviewed-by: Anshuman Khandual Signed-off-by: Suzuki K Poulose Link: https://lore.kernel.org/r/20211019163153.3692640-2-suzuki.poulose@arm.com Signed-off-by: Will Deacon Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 718af13fd84ce19b8616eb4bce7b14aab5aed6d7 Author: Rob Herring Date: Wed Apr 6 17:45:24 2022 +0100 arm64: Add part number for Arm Cortex-A77 commit 8a6b88e66233f5f1779b0a1342aa9dc030dddcd5 upstream. Add the MIDR part number info for the Arm Cortex-A77. Signed-off-by: Rob Herring Acked-by: Catalin Marinas Cc: Catalin Marinas Cc: Will Deacon Link: https://lore.kernel.org/r/20201028182839.166037-1-robh@kernel.org Signed-off-by: Will Deacon Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit fee9d5888a9044c67b37e131db30e5df3f6d2a1f Author: Marc Zyngier Date: Wed Apr 6 17:45:23 2022 +0100 arm64: Add part number for Neoverse N1 commit 0cf57b86859c49381addb3ce47be70aadf5fd2c0 upstream. New CPU, new part number. You know the drill. Signed-off-by: Marc Zyngier Signed-off-by: Will Deacon Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 47efac06a2772e29365c5d7e4931b2a79137fbf9 Author: Marc Zyngier Date: Wed Apr 6 17:45:22 2022 +0100 arm64: Make ARM64_ERRATUM_1188873 depend on COMPAT commit c2b5bba3967a000764e9148e6f020d776b7ecd82 upstream. Since ARM64_ERRATUM_1188873 only affects AArch32 EL0, it makes some sense that it should depend on COMPAT. Signed-off-by: Marc Zyngier Signed-off-by: Will Deacon Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 68a685e018abab26fd2770e9d104d1d33623a523 Author: Marc Zyngier Date: Wed Apr 6 17:45:21 2022 +0100 arm64: Add silicon-errata.txt entry for ARM erratum 1188873 commit e03a4e5bb7430f9294c12f02c69eb045d010e942 upstream. Document that we actually work around ARM erratum 1188873 Fixes: 95b861a4a6d9 ("arm64: arch_timer: Add workaround for ARM erratum 1188873") Signed-off-by: Marc Zyngier Signed-off-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 89a512adceab99c99ea9d8ef3372181ec9fdef38 Author: Arnd Bergmann Date: Wed Apr 6 17:45:20 2022 +0100 arm64: arch_timer: avoid unused function warning commit 040f340134751d73bd03ee92fabb992946c55b3d upstream. arm64_1188873_read_cntvct_el0() is protected by the correct CONFIG_ARM64_ERRATUM_1188873 #ifdef, but the only reference to it is also inside of an CONFIG_ARM_ARCH_TIMER_OOL_WORKAROUND section, and causes a warning if that is disabled: drivers/clocksource/arm_arch_timer.c:323:20: error: 'arm64_1188873_read_cntvct_el0' defined but not used [-Werror=unused-function] Since the erratum requires that we always apply the workaround in the timer driver, select that symbol as we do for SoC specific errata. Fixes: 95b861a4a6d9 ("arm64: arch_timer: Add workaround for ARM erratum 1188873") Acked-by: Marc Zyngier Signed-off-by: Arnd Bergmann Signed-off-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 501d9435c7161ccc693381e4753d4b895665370a Author: Marc Zyngier Date: Wed Apr 6 17:45:19 2022 +0100 arm64: arch_timer: Add workaround for ARM erratum 1188873 commit 95b861a4a6d94f64d5242605569218160ebacdbe upstream. When running on Cortex-A76, a timer access from an AArch32 EL0 task may end up with a corrupted value or register. The workaround for this is to trap these accesses at EL1/EL2 and execute them there. This only affects versions r0p0, r1p0 and r2p0 of the CPU. Acked-by: Mark Rutland Signed-off-by: Marc Zyngier Signed-off-by: Catalin Marinas Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit ba072295630fece57622f60b73756064bbaee26e Author: Marc Zyngier Date: Wed Apr 6 17:45:18 2022 +0100 arm64: arch_timer: Add erratum handler for CPU-specific capability commit 0064030c6fd4ca6cfab42de037b2a89445beeead upstream. Should we ever have a workaround for an erratum that is detected using a capability and affecting a particular CPU, it'd be nice to have a way to probe them directly. Acked-by: Thomas Gleixner Signed-off-by: Marc Zyngier Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit f4a88eb6b1785a3489c157d76b05aa74b407979b Author: Marc Zyngier Date: Wed Apr 6 17:45:17 2022 +0100 arm64: arch_timer: Add infrastructure for multiple erratum detection methods commit 651bb2e9dca6e6dbad3fba5f6e6086a23575b8b5 upstream. We're currently stuck with DT when it comes to handling errata, which is pretty restrictive. In order to make things more flexible, let's introduce an infrastructure that could support alternative discovery methods. No change in functionality. Acked-by: Thomas Gleixner Reviewed-by: Hanjun Guo Signed-off-by: Marc Zyngier [ morse: Removed the changes to HiSilicon erratum 161010101, which isn't present in v4.9 ] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 7a48b35f0cd3174ef1654005c6e991a2c625f0d9 Author: Ding Tianhong Date: Wed Apr 6 17:45:16 2022 +0100 clocksource/drivers/arm_arch_timer: Introduce generic errata handling infrastructure commit 16d10ef29f25aba923779234bb93a451b14d20e6 upstream. Currently we have code inline in the arch timer probe path to cater for Freescale erratum A-008585, complete with ifdeffery. This is a little ugly, and will get worse as we try to add more errata handling. This patch refactors the handling of Freescale erratum A-008585. Now the erratum is described in a generic arch_timer_erratum_workaround structure, and the probe path can iterate over these to detect errata and enable workarounds. This will simplify the addition and maintenance of code handling Hisilicon erratum 161010101. Signed-off-by: Ding Tianhong [Mark: split patch, correct Kconfig, reword commit message] Signed-off-by: Mark Rutland Acked-by: Daniel Lezcano Signed-off-by: Daniel Lezcano Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit fda5a883b23742dce4bc7774f98b4c06a0a50818 Author: Ding Tianhong Date: Wed Apr 6 17:45:15 2022 +0100 clocksource/drivers/arm_arch_timer: Remove fsl-a008585 parameter commit 5444ea6a7f46276876e94ecf8d44615af1ef22f7 upstream. Having a command line option to flip the errata handling for a particular erratum is a little bit unusual, and it's vastly superior to pass this in the DT. By common consensus, it's best to kill off the command line parameter. Signed-off-by: Ding Tianhong [Mark: split patch, reword commit message] Signed-off-by: Mark Rutland Acked-by: Daniel Lezcano Signed-off-by: Daniel Lezcano Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit c6815504d991c462842350479359c06fdbe4b739 Author: Suzuki K Poulose Date: Wed Apr 6 17:45:14 2022 +0100 arm64: capabilities: Add support for checks based on a list of MIDRs [ Upstream commit be5b299830c63ed76e0357473c4218c85fb388b3 ] Add helpers for detecting an errata on list of midr ranges of affected CPUs, with the same work around. Cc: Will Deacon Cc: Mark Rutland Cc: Ard Biesheuvel Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon [ardb: add Cortex-A35 to kpti_safe_list[] as well] Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit c771d4ceebfc3a75a42f3ef02e6f82a69e541bf2 Author: Suzuki K Poulose Date: Wed Apr 6 17:45:13 2022 +0100 arm64: Add helpers for checking CPU MIDR against a range [ Upstream commit 1df310505d6d544802016f6bae49aab836ae8510 ] Add helpers for checking if the given CPU midr falls in a range of variants/revisions for a given model. Cc: Will Deacon Cc: Mark Rutland Cc: Ard Biesheuvel Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit e531d7f7ae066f92c6f915e2be0487e7feeda2d2 Author: Suzuki K Poulose Date: Wed Apr 6 17:45:12 2022 +0100 arm64: capabilities: Clean up midr range helpers [ Upstream commit 5e7951ce19abf4113645ae789c033917356ee96f ] We are about to introduce generic MIDR range helpers. Clean up the existing helpers in erratum handling, preparing them to use generic version. Cc: Will Deacon Cc: Mark Rutland Cc: Ard Biesheuvel Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit b49720bc6407265d84efc73c14791c7f2c8378f8 Author: Suzuki K Poulose Date: Wed Apr 6 17:45:11 2022 +0100 arm64: capabilities: Add flags to handle the conflicts on late CPU [ Upstream commit 5b4747c5dce7a873e1e7fe1608835825f714267a ] When a CPU is brought up, it is checked against the caps that are known to be enabled on the system (via verify_local_cpu_capabilities()). Based on the state of the capability on the CPU vs. that of System we could have the following combinations of conflict. x-----------------------------x | Type | System | Late CPU | |-----------------------------| | a | y | n | |-----------------------------| | b | n | y | x-----------------------------x Case (a) is not permitted for caps which are system features, which the system expects all the CPUs to have (e.g VHE). While (a) is ignored for all errata work arounds. However, there could be exceptions to the plain filtering approach. e.g, KPTI is an optional feature for a late CPU as long as the system already enables it. Case (b) is not permitted for errata work arounds that cannot be activated after the kernel has finished booting.And we ignore (b) for features. Here, yet again, KPTI is an exception, where if a late CPU needs KPTI we are too late to enable it (because we change the allocation of ASIDs etc). Add two different flags to indicate how the conflict should be handled. ARM64_CPUCAP_PERMITTED_FOR_LATE_CPU - CPUs may have the capability ARM64_CPUCAP_OPTIONAL_FOR_LATE_CPU - CPUs may not have the cappability. Now that we have the flags to describe the behavior of the errata and the features, as we treat them, define types for ERRATUM and FEATURE. Cc: Will Deacon Cc: Mark Rutland Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 3d108b78c2f55882b7cb871af0fe8789e8d6564e Author: Suzuki K Poulose Date: Wed Apr 6 17:45:10 2022 +0100 arm64: capabilities: Prepare for fine grained capabilities [ Upstream commit 143ba05d867af34827faf99e0eed4de27106c7cb ] We use arm64_cpu_capabilities to represent CPU ELF HWCAPs exposed to the userspace and the CPU hwcaps used by the kernel, which include cpu features and CPU errata work arounds. Capabilities have some properties that decide how they should be treated : 1) Detection, i.e scope : A cap could be "detected" either : - if it is present on at least one CPU (SCOPE_LOCAL_CPU) Or - if it is present on all the CPUs (SCOPE_SYSTEM) 2) When is it enabled ? - A cap is treated as "enabled" when the system takes some action based on whether the capability is detected or not. e.g, setting some control register, patching the kernel code. Right now, we treat all caps are enabled at boot-time, after all the CPUs are brought up by the kernel. But there are certain caps, which are enabled early during the boot (e.g, VHE, GIC_CPUIF for NMI) and kernel starts using them, even before the secondary CPUs are brought up. We would need a way to describe this for each capability. 3) Conflict on a late CPU - When a CPU is brought up, it is checked against the caps that are known to be enabled on the system (via verify_local_cpu_capabilities()). Based on the state of the capability on the CPU vs. that of System we could have the following combinations of conflict. x-----------------------------x | Type | System | Late CPU | ------------------------------| | a | y | n | ------------------------------| | b | n | y | x-----------------------------x Case (a) is not permitted for caps which are system features, which the system expects all the CPUs to have (e.g VHE). While (a) is ignored for all errata work arounds. However, there could be exceptions to the plain filtering approach. e.g, KPTI is an optional feature for a late CPU as long as the system already enables it. Case (b) is not permitted for errata work arounds which requires some work around, which cannot be delayed. And we ignore (b) for features. Here, yet again, KPTI is an exception, where if a late CPU needs KPTI we are too late to enable it (because we change the allocation of ASIDs etc). So this calls for a lot more fine grained behavior for each capability. And if we define all the attributes to control their behavior properly, we may be able to use a single table for the CPU hwcaps (which cover errata and features, not the ELF HWCAPs). This is a prepartory step to get there. More bits would be added for the properties listed above. We are going to use a bit-mask to encode all the properties of a capabilities. This patch encodes the "SCOPE" of the capability. As such there is no change in how the capabilities are treated. Cc: Mark Rutland Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 454f7ba3b36b16ff8ff73f9ad1c88deb006a2dea Author: Suzuki K Poulose Date: Wed Apr 6 17:45:09 2022 +0100 arm64: capabilities: Move errata processing code [ Upstream commit 1e89baed5d50d2b8d9fd420830902570270703f1 ] We have errata work around processing code in cpu_errata.c, which calls back into helpers defined in cpufeature.c. Now that we are going to make the handling of capabilities generic, by adding the information to each capability, move the errata work around specific processing code. No functional changes. Cc: Will Deacon Cc: Marc Zyngier Cc: Mark Rutland Cc: Andre Przywara Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit b63ccc3ae93e1bc24fce55df25d5c12db652e6d8 Author: Suzuki K Poulose Date: Wed Apr 6 17:45:08 2022 +0100 arm64: capabilities: Move errata work around check on boot CPU [ Upstream commit 5e91107b06811f0ca147cebbedce53626c9c4443 ] We trigger CPU errata work around check on the boot CPU from smp_prepare_boot_cpu() to make sure that we run the checks only after the CPU feature infrastructure is initialised. While this is correct, we can also do this from init_cpu_features() which initilises the infrastructure, and is called only on the Boot CPU. This helps to consolidate the CPU capability handling to cpufeature.c. No functional changes. Cc: Will Deacon Cc: Catalin Marinas Cc: Mark Rutland Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 3f74ad6849fff85a7a4183a0038e998a457c9a9a Author: Dave Martin Date: Wed Apr 6 17:45:07 2022 +0100 arm64: capabilities: Update prototype for enable call back [ Upstream commit c0cda3b8ee6b4b6851b2fd8b6db91fd7b0e2524a ] We issue the enable() call back for all CPU hwcaps capabilities available on the system, on all the CPUs. So far we have ignored the argument passed to the call back, which had a prototype to accept a "void *" for use with on_each_cpu() and later with stop_machine(). However, with commit 0a0d111d40fd1 ("arm64: cpufeature: Pass capability structure to ->enable callback"), there are some users of the argument who wants the matching capability struct pointer where there are multiple matching criteria for a single capability. Clean up the declaration of the call back to make it clear. 1) Renamed to cpu_enable(), to imply taking necessary actions on the called CPU for the entry. 2) Pass const pointer to the capability, to allow the call back to check the entry. (e.,g to check if any action is needed on the CPU) 3) We don't care about the result of the call back, turning this to a void. Cc: Will Deacon Cc: Catalin Marinas Cc: Mark Rutland Cc: Andre Przywara Cc: James Morse Acked-by: Robin Murphy Reviewed-by: Julien Thierry Signed-off-by: Dave Martin [suzuki: convert more users, rename call back and drop results] Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: Ard Biesheuvel Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 72c5ba547548783c7af3979f16f0eafb1ca9092b Author: Suzuki K Poulose Date: Wed Apr 6 17:45:06 2022 +0100 arm64: Add MIDR encoding for Arm Cortex-A55 and Cortex-A35 commit 6e616864f21160d8d503523b60a53a29cecc6f24 upstream. Update the MIDR encodings for the Cortex-A55 and Cortex-A35 Cc: Mark Rutland Reviewed-by: Dave Martin Signed-off-by: Suzuki K Poulose Signed-off-by: Will Deacon Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 7f319f30e417373dd865a54a8748a87e2e0d6ec2 Author: James Morse Date: Wed Apr 6 17:45:05 2022 +0100 arm64: Remove useless UAO IPI and describe how this gets enabled commit c8b06e3fddddaae1a87ed479edcb8b3d85caecc7 upstream. Since its introduction, the UAO enable call was broken, and useless. commit 2a6dcb2b5f3e ("arm64: cpufeature: Schedule enable() calls instead of calling them via IPI"), fixed the framework so that these calls are scheduled, so that they can modify PSTATE. Now it is just useless. Remove it. UAO is enabled by the code patching which causes get_user() and friends to use the 'ldtr' family of instructions. This relies on the PSTATE.UAO bit being set to match addr_limit, which we do in uao_thread_switch() called via __switch_to(). All that is needed to enable UAO is patch the code, and call schedule(). __apply_alternatives_multi_stop() calls stop_machine() when it modifies the kernel text to enable the alternatives, (including the UAO code in uao_thread_switch()). Once stop_machine() has finished __switch_to() is called to reschedule the original task, this causes PSTATE.UAO to be set appropriately. An explicit enable() call is not needed. Reported-by: Vladimir Murzin Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman commit 6e1ad7a49b2e6fe5c6932e84145dd5bfd08ae937 Author: Robert Richter Date: Wed Apr 6 17:45:04 2022 +0100 arm64: errata: Provide macro for major and minor cpu revisions commit fa5ce3d1928c441c3d241c34a00c07c8f5880b1a upstream Definition of cpu ranges are hard to read if the cpu variant is not zero. Provide MIDR_CPU_VAR_REV() macro to describe the full hardware revision of a cpu including variant and (minor) revision. Signed-off-by: Robert Richter Signed-off-by: Will Deacon [ morse: some parts of this patch were already backported as part of b8c320884eff003581ee61c5970a2e83f513eff1 ] Signed-off-by: James Morse Signed-off-by: Greg Kroah-Hartman